07182013 Hacking Appliances: Ironic exploits in security products
Ben Williams (NCC Group)
Proposition
• There is a temptation to think of Security Appliances as impregnable fortresses; this is definitely a mistake.
• Security Appliance (noun): a poorly configured and maintained Linux system running an insecure web-app (and other applications)
Which kind of appliances exactly?
• Email/Web filtering
  • Barracuda, Symantec, Trend Micro, Sophos, Proofpoint (F-Secure among others)
• Firewall, Gateway, Remote Access
  • McAfee, pfSense, Untangle, ClearOS, Citrix
• Others
  • Network management, single sign-on, communications, file storage etc.
Are these products well-used and trusted?
2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution”
• Barracuda Email Security
• McAfee Email Protection
• Proofpoint Enterprise Protection
• Symantec Messaging Gateway
• Websense Email Security Gateway Anywhere
How are they deployed?
[Diagram: typical network positions - Firewall or Gateway or UTM; Email Filter; Web Filter; Remote Access; Security Management; Other Appliances]
Sophos Email Appliance (v3.7.4.0)
• Easy password attacks
• Command-injection
• Privilege escalation
• Post exploitation
(Image: http://designermandan.com/project/crisis-charity/)
Easy password attacks…
Easy targeted password-attacks… because
• Known username (default, often fixed)
• Linux platform with a scalable and responsive webserver, so guesses can be submitted quickly
• No account lockout or brute-force protection
• Minimal password complexity requirements
• Administrators choose the passwords
• Few had logging/alerting
• Over an extended period, an attacker stands a good chance of gaining administrative access
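With a fixed username, no lockout and no alerting, the only place the guessing shows up is the web-server log. As an added example (not from the slides), a sliding-window detector in Python run over a constructed access log; the Combined-Log layout, the `/login` path, the 401/302 status codes and the thresholds are assumptions:

```python
"""Detect password guessing against a fixed admin account in web-server
access logs. Added example (not from the slides); the log format, the
login path and the thresholds are assumptions, and SAMPLE_LOG is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines: Combined-Log style, assuming the login handler answers a
# failed POST /login with 401 and a successful one with a 302 redirect.
SAMPLE_LOG = """\
10.0.0.7 - - [19/Oct/2012:14:02:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.7 - - [19/Oct/2012:14:02:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.7 - - [19/Oct/2012:14:02:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.9 - - [19/Oct/2012:14:02:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Oct/2012:14:02:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.7 - - [19/Oct/2012:14:02:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.7 - - [19/Oct/2012:14:02:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/0.14"
10.0.0.7 - - [19/Oct/2012:14:02:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/0.14"
10.0.0.9 - - [19/Oct/2012:14:02:50 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Oct/2012:14:02:58 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def detect_bruteforce(lines, threshold=5, window_seconds=60, login_path='/login'):
    """Per source IP, count failed logins (401 on POST login_path) inside a
    sliding window of window_seconds. Returns {ip: peak_failures_in_window}
    for every IP whose peak reached threshold. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != 'POST' or path != login_path or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def successes_after_guessing(lines, flagged, login_path='/login'):
    """IPs that were flagged and also got a 302 from the login handler:
    the guess probably succeeded and the account needs a password reset."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] in flagged and rec[2] == 'POST' and rec[3] == login_path and rec[4] == 302:
            hits.add(rec[0])
    return hits

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_bruteforce(lines)
    print('guessing sources:', flagged)
    print('likely compromised admin sessions from:', successes_after_guessing(lines, flagged))
```

Because the appliance itself had no lockout, this has to run on logs shipped off the box (or on a reverse proxy in front of the admin UI); the 302-after-failures check is what turns "someone is guessing" into "rotate the admin password now".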
Really obvious vulnerabilities
• Lots of issues
  • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection…
• So… I got an evaluation…
Oh dear… looks like fun for an attacker
Command-injection (and root shell)
• Command-injection is very common in appliances
• Why do I want a root shell?
  • Foothold on the internal network
  • Reflective CSRF attacks (with reverse shells)
  • Admins can’t view all email, but an attacker with a root shell can
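The appliance bug class behind that root shell is usually a diagnostic form (ping, traceroute, DNS lookup) whose input is glued into a shell command. As an added example that is not any vendor's code, the vulnerable pattern beside a hardened handler in Python; the function names and the ping form are assumptions:

```python
"""Host-diagnostic ('ping') handler, the kind of feature behind most of the
appliance command-injection bugs: the vulnerable pattern beside a hardened one.
Added example; the function names and the ping form are assumptions, not
any vendor's code."""
import ipaddress
import re
import subprocess

# One DNS label: 1-63 chars, alphanumeric or '-', no leading/trailing '-'.
_LABEL = r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
_HOSTNAME_RE = re.compile(rf'^{_LABEL}(\.{_LABEL})*$')

def vulnerable_ping_command(host):
    """The bug: untrusted input is glued into a shell command line.
    With shell=True, "127.0.0.1; id" runs ping and then id as the web-server
    user (root, on many appliances)."""
    return 'ping -c 1 ' + host   # then: subprocess.run(cmd, shell=True)

def validate_host(host):
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 hostname; nothing else.
    A leading '-' is excluded so the value can't be parsed as a ping option."""
    if not isinstance(host, str) or not host or len(host) > 253:
        raise ValueError('bad host')
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError('bad host: %r' % host)

def hardened_ping_argv(host):
    """Argument vector for subprocess without a shell: no metacharacter is
    interpreted, and the host has already passed the allow-list."""
    return ['ping', '-c', '1', validate_host(host)]

def run_ping(host, timeout=10):
    """Execute the hardened form. Not called by the tests."""
    return subprocess.run(hardened_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout).stdout

if __name__ == '__main__':
    for h in ['10.0.0.1', 'mail.example.com', '127.0.0.1; id', '$(id)', '-f']:
        try:
            print(h, '->', hardened_ping_argv(h))
        except ValueError as e:
            print(h, '-> rejected:', e)
```

Both halves matter: the argv form removes the shell, and the allow-list removes option injection (a host of `-f` would otherwise become a ping flag). If a shell is genuinely unavoidable, `shlex.quote` the validated value; never quote instead of validating.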
[Diagram: Reflective attack]
[Diagram: Reflective attack 2 (Attacker)]
What do you get on the OS?
• Old kernel
• Old packages
• Unnecessary packages
• Poor configurations
• Insecure proprietary apps
Post Exploitation
• Stealing email or other traffic
• Plain-text passwords on the box
• Steal credentials from end-users
• Adding tools and packages
• Attacking the internal network
• Further exploit-development
• More bug-hunting, more 0-day
Sophos fix info: Update (3.7.7.1)
• Reported Oct 2012
• Vendor responsive and helpful
• Fix released Jan 2013
• http://sea.sophos.com/docs/sea/release_notes/release_notes.3.7.7.0.html
Citrix Access Gateway (5.0.4)
• Multiple issues
• Potential unrestricted access to the internal network
Hmm… That’s a bit odd…
ssh admin@192.168.233.55
Where are my hashes to crack?
Port-forwarding (no password)
When SSH is enabled on the CAG, port-forwarding is allowed:
ssh admin@192.168.1.55
ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx
Port-forward Web UI
Potential access to internal systems!
[Diagram: Attacker]
Rather ironic: Remote Access Gateway
• Unauthenticated access to the internal network?
• Auth-bypass and root-shell
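The CAG finding combines two sshd properties: an account that can be reached without a password, and TCP forwarding left at its default, so the login becomes a pivot (`-L`/`-D`) even if the account has no useful shell. As an added example, not Citrix code, a small Python audit of an `sshd_config` for exactly those conditions; the two sample configs are constructed and the checks cover only a handful of sshd keywords:

```python
"""Audit an OpenSSH sshd_config for the conditions behind the CAG finding:
a login that needs no password and SSH TCP forwarding left enabled, which
turns any SSH account into a pivot. Added example, not Citrix code; the
sample configs are constructed and the checks cover a small subset of sshd
options."""
import re

# sshd_config(5) defaults assumed when a keyword is absent (PermitRootLogin
# defaulted to 'yes' on older releases, so audit that keyword explicitly).
DEFAULTS = {
    'permitrootlogin': 'prohibit-password',
    'permitemptypasswords': 'no',
    'allowtcpforwarding': 'yes',
    'gatewayports': 'no',
    'permittunnel': 'no',
}

WEAK_SSHD_CONFIG = """\
# constructed: a management SSH service as an appliance might ship it
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_SSHD_CONFIG = """\
# constructed: same service with pivoting and passwordless logins shut off
Port 22
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match User admin
    ForceCommand /usr/local/bin/appliance-cli
"""

def parse_sshd_config(text):
    """Global keywords as {lowercase_keyword: value}. Like sshd, the first
    occurrence of a keyword wins. Parsing stops at the first Match block,
    so per-user overrides are not audited here (a simplification)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == 'match':
            break
        conf.setdefault(key, value)
    return conf

def audit_sshd(text):
    """Return findings as 'Keyword: explanation' strings; an empty list is clean."""
    conf = parse_sshd_config(text)
    def setting(key):
        return conf.get(key, DEFAULTS[key]).lower()
    findings = []
    if setting('permitrootlogin') == 'yes':
        findings.append('PermitRootLogin: root can log in directly with a password')
    if setting('permitemptypasswords') == 'yes':
        findings.append('PermitEmptyPasswords: accounts with an empty password can log in')
    if setting('allowtcpforwarding') != 'no':
        findings.append('AllowTcpForwarding: any SSH login can reach internal hosts with -L/-D '
                        '(ssh -N needs no shell, so ForceCommand alone does not stop it)')
    if setting('gatewayports') != 'no':
        findings.append('GatewayPorts: remote forwards can bind on all interfaces')
    if setting('permittunnel') != 'no':
        findings.append('PermitTunnel: layer-2/3 tun devices can be requested over SSH')
    return findings

if __name__ == '__main__':
    for name, cfg in [('weak', WEAK_SSHD_CONFIG), ('hardened', HARDENED_SSHD_CONFIG)]:
        print(name, audit_sshd(cfg) or ['clean'])
```

The point the hardened config makes is that a restricted shell or `ForceCommand` is not a substitute for `AllowTcpForwarding no`: the `-L` forward in the slide is negotiated by the SSH client before any shell runs.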
Citrix fix info: Affects CAG 5.0.x
• Reported Oct 2012
• Fix released last week (6th March 2013)
• CVE-2013-2263 Unauthorized Access to Network Resources
• http://support.citrix.com/article/ctx136623
Symantec Email Appliance (9.5.x)
• Multiple issues
Description                                                         | NCC Rating
Out-of-band stored XSS, delivered by email                          | Critical
XSS (both reflective and stored) with session-hijacking             | High
Easy CSRF to add a backdoor administrator (for example)             | High
SSH with backdoor user account + privilege escalation to root       | High
Ability for an authenticated attacker to modify the web application | High
Arbitrary file download was possible with a crafted URL             | Medium
Unauthenticated detailed version disclosure                         | Low
Ownage by Email
Out-of-band XSS and OSRF
• Chain together issues in various ways:
  • XSS in a spam email’s subject line, to attack the administrator when the message is viewed in the admin UI
  • Use the faulty “backup/restore” feature (via OSRF) to add arbitrary JSP to the admin UI, and a SUID binary
  • The XSS then executes the new function, which sends a reverse shell back to the attacker
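Two links of that chain recur across the products: the admin UI rendering an attacker-controlled subject line without encoding, and admin actions that accept any request carrying the admin's session cookie (the "easy CSRF to add a backdoor administrator" in both the Symantec and Trend tables, and "CSRF of admin functions" in the summary later). As an added example that is not any vendor's code, each bug beside its fix in Python; the UI host name, the field names and the request-dict layout are assumptions:

```python
"""Two links of the email-to-root chain, modelled on the admin UI: rendering an
attacker-controlled subject line (stored XSS) and a state-changing admin action
with no request-origin check (CSRF). Added example with the fix beside each bug;
host name, field names and the request dict layout are assumptions, not any
vendor's code."""
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

ADMIN_UI_HOST = 'mailgw.example.internal'   # assumption
SERVER_KEY = secrets.token_bytes(32)         # per-process CSRF signing key

# Constructed: a subject line such as spam could carry into the quarantine view.
EVIL_SUBJECT = '<script src="http://attacker.example/x.js"></script>'

def render_subject_vulnerable(subject):
    """Bug: raw subject interpolated into admin-UI HTML; script runs as the admin."""
    return '<td class="subject">%s</td>' % subject

def render_subject(subject):
    """Fix: HTML-escape on output; the subject is displayed, never parsed."""
    return '<td class="subject">%s</td>' % html.escape(subject, quote=True)

def csrf_token(session_id):
    """Token bound to the session so a forged page cannot obtain or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def add_admin_vulnerable(request, session_id, users):
    """Bug: any request carrying the admin's session cookie is honoured, so a
    page (or the XSS above) can submit it from the admin's browser."""
    users.append(request['form']['username'])
    return 200

def add_admin(request, session_id, users):
    """Fix: POST only, Origin/Referer must be the UI host, and a session-bound
    token must accompany the form. request = {'method', 'headers', 'form'}."""
    if request['method'] != 'POST':
        return 405
    origin = request['headers'].get('Origin') or request['headers'].get('Referer')
    if not origin or urlsplit(origin).hostname != ADMIN_UI_HOST:
        return 403
    token = request['form'].get('csrf', '')
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403
    users.append(request['form']['username'])
    return 200

def forged_request(username):
    """What a CSRF page can send: right cookie (added by the browser), wrong origin, no token."""
    return {'method': 'POST',
            'headers': {'Origin': 'http://attacker.example'},
            'form': {'username': username}}

def legitimate_request(session_id, username):
    return {'method': 'POST',
            'headers': {'Origin': 'https://' + ADMIN_UI_HOST},
            'form': {'username': username, 'csrf': csrf_token(session_id)}}

if __name__ == '__main__':
    print(render_subject_vulnerable(EVIL_SUBJECT))
    print(render_subject(EVIL_SUBJECT))
    users = ['admin']
    print(add_admin_vulnerable(forged_request('backdoor'), 'sess1', users), users)
    users = ['admin']
    print(add_admin(forged_request('backdoor'), 'sess1', users), users)
    print(add_admin(legitimate_request('sess1', 'alice'), 'sess1', users), users)
```

The token and origin check stop a cross-site page; they do not stop script that is already running in the admin UI's origin, which can read the token from the page. That is why the chain in the slides works, and why the output encoding has to be fixed as well as the CSRF.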
XSS Email to reverse-shell as root
Rather ironic
• Root-shell via a malicious email message
• In an email filtering appliance?
Symantec fix info: Upgrade to 10.x
• Reported April 2012 – Fixed Aug 2012
• CVE-2012-0307 XSS issues
• CVE-2012-0308 Cross-site Request Forgery (CSRF)
• CVE-2012-3579 SSH account with fixed password
• CVE-2012-3580 Web App modification as root
• CVE-2012-4347 Directory traversal (file download)
• CVE-2012-3581 Information disclosure
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00
Trend Email Appliance (8.2.0.x)
• Multiple issues
Description                                                   | NCC Rating
Out-of-band stored XSS in user-portal, delivered via email    | Critical
XSS (both reflective and stored) with session-hijacking       | High
Easy CSRF to add a backdoor administrator (for example)       | High
Root shell via patch-upload feature (authenticated)           | High
Blind LDAP injection in user-portal login screen              | High
Directory traversal (authenticated)                           | Medium
Unauthenticated access to AdminUI logs                        | Low
Unauthenticated version disclosure                            | Low
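The blind LDAP injection in the table is worth a closer look because it is unauthenticated by nature: the login form builds a search filter from the username, and the page that comes back differs for "entry found" and "not found". As an added example, not Trend's code, the vulnerable filter builder beside the RFC 4515 escaping that fixes it, with a toy in-memory filter evaluator standing in for the directory so the effect is visible offline; the filter shape, attribute names and the two entries are assumptions/constructed:

```python
"""Blind LDAP injection in a user-portal login, with the RFC 4515 escaping
that closes it. A toy in-memory evaluator for equality filters with '&', '|'
and '*' wildcards stands in for the directory so the effect can be seen
offline. Added example; the filter shape, attribute names and the two
directory entries are assumptions/constructed."""
import re

# Constructed directory: attribute names lower-cased, values as lists.
DIRECTORY = [
    {'dn': 'uid=admin,ou=people,dc=example,dc=com',
     'objectclass': ['person'], 'uid': ['admin'], 'userpassword': ['hunter2']},
    {'dn': 'uid=alice,ou=people,dc=example,dc=com',
     'objectclass': ['person'], 'uid': ['alice'], 'userpassword': ['s3cret']},
]

def build_filter_vulnerable(username):
    """Bug: the raw username becomes filter syntax."""
    return '(&(objectClass=person)(uid=%s))' % username

def ldap_escape(value):
    """RFC 4515 section 3: backslash, '*', '(', ')' and NUL become \\XX hex."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_filter(username):
    """Fix: the username is an assertion value, never syntax."""
    return '(&(objectClass=person)(uid=%s))' % ldap_escape(username)

# ---- toy filter evaluator (enough for the demonstration, not a full parser) ----
def _unescape(s):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)

def _pattern_regex(pat):
    # Unescaped '*' is a wildcard; '\2a' survives the split and becomes a literal '*'.
    return re.compile('^' + '.*'.join(re.escape(_unescape(p)) for p in pat.split('*')) + '$')

def _parse(s, i):
    if s[i] != '(':
        raise ValueError('expected ( at %d' % i)
    i += 1
    if s[i] in '&|':
        op, i, kids = s[i], i + 1, []
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ')':
            raise ValueError('expected ) at %d' % i)
        return ('and' if op == '&' else 'or', kids), i + 1
    j = s.index(')', i)
    attr, _, pat = s[i:j].partition('=')
    return ('eq', attr.lower(), pat), j + 1

def parse_filter(s):
    try:
        node, i = _parse(s, 0)
    except IndexError:
        raise ValueError('truncated filter')
    if i != len(s):
        raise ValueError('trailing data after filter')
    return node

def _matches(node, entry):
    if node[0] == 'and':
        return all(_matches(k, entry) for k in node[1])
    if node[0] == 'or':
        return any(_matches(k, entry) for k in node[1])
    _, attr, pat = node
    rx = _pattern_regex(pat)
    return any(rx.match(v) for v in entry.get(attr, []))

def search(directory, filter_str):
    """DNs of entries matching filter_str."""
    node = parse_filter(filter_str)
    return [e['dn'] for e in directory if _matches(node, e)]

if __name__ == '__main__':
    # Blind probe: does the admin's password start with 'h'? The login page
    # answers differently for 'user found' and 'not found', one letter at a time.
    probe = 'admin)(userPassword=h*'
    print(search(DIRECTORY, build_filter_vulnerable(probe)))   # admin matched: leak
    print(search(DIRECTORY, build_filter(probe)))              # []
```

With the vulnerable builder a username of `*` matches every person, and `admin)(userPassword=h*` turns the login form into a one-bit oracle on the admin's password; with `ldap_escape` both become literal `uid` values that match nobody.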
Trend fix info: Use workarounds
• Reported April 2012
• No fixes released or scheduled AFAIK
Common exploit categories
• Almost all Security Appliance products had:
  • Easy password attacks
  • XSS with either session-hijacking or password theft
  • Unauthenticated information disclosure (exact version)
• The majority had:
  • CSRF of admin functions
  • OS command-injection
  • Privilege escalation (either UI or OS)
Common exploit categories (continued)
• Several had:
  • Stored out-of-band XSS and OSRF (for example in email)
  • Direct authentication-bypass
  • Other injections (SQLi, LDAP etc.)
• A few had:
  • Denial-of-Service
  • SSH misconfiguration
  • A wide variety of more obscure issues
Mitigations (Target Organisations)
• Awareness is important
• Apply updates when available
• Be more demanding with product vendors
• ACLs - “Defence-in-depth” and “least privilege”
  • Management interfaces (Web-UI, SSH)
  • Browsers, management jump-box
• Pen-test + implement recommendations
Thoughts
• Almost all Security Appliances tested were insecure
• Interesting state of play in 2012 – 2013
• Are you surprised?
• Variable responses from vendors
  • Some fixed within 3 months, some not at all (or no information)
• What about Huawei?
www.nccgroup.com
ben.williams ( at ) nccgroup.com
@insidetrust
